# Thunderspy

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/Thunderspy
> Markdown URL: https://mediated.wiki/source/Thunderspy.md
> Source: https://en.wikipedia.org/wiki/Thunderspy
> Source revision: 1264769593
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)

Security vulnerability

- **CVE identifier:** CVE-2020-????
- **Date discovered:** May 2020
- **Date patched:** 2019 via Kernel DMA Protection
- **Discoverer:** Björn Ruytenberg
- **Affected hardware:** Computers manufactured before 2019, and some after that, having the Intel Thunderbolt 3 (and below) port.[1]
- **Website:** thunderspy.io

**Thunderspy** is a type of [security vulnerability](/source/Vulnerability_(computing)), based on the [Intel Thunderbolt 3 port](/source/Thunderbolt_(interface)), first reported publicly on 10 May 2020. It can allow an [evil maid](/source/Evil_maid_attack) attack (i.e., an attack on an unattended device) to gain full access to a computer's information in about five minutes, and may affect millions of [Apple](/source/Apple_Inc.), [Linux](/source/Linux) and [Windows](/source/Microsoft_Windows) computers, as well as any computers manufactured before 2019, and some after that.[1][2][3][4][5][6][7][8]

According to Björn Ruytenberg, the discoverer of the vulnerability, "All the evil maid needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware, reattach the backplate, and the evil maid gets full access to the laptop. All of this can be done in under five minutes."[1] The malicious firmware is used to clone device identities, which makes a classical DMA attack possible.[4]

## History

The Thunderspy security vulnerabilities were first publicly reported by Björn Ruytenberg of [Eindhoven University of Technology](/source/Eindhoven_University_of_Technology) in the [Netherlands](/source/Netherlands) on 10 May 2020.[9] Thunderspy is similar to [Thunderclap](/source/Thunderclap_(security_vulnerability)),[10][11] another security vulnerability, reported in 2019, that also involves access to computer files through the Thunderbolt port.[8]

## Impact

The security vulnerability affects millions of Apple, Linux and Windows computers, as well as all computers manufactured before 2019, and some after that.[1][3][4] However, the practical impact is limited mainly by how precise a bad actor would have to be to execute the attack. Physical access to a machine with a vulnerable Thunderbolt controller is necessary, as well as a writable ROM chip for the Thunderbolt controller's firmware.[4] Additionally, part of Thunderspy, specifically the portion involving re-writing the firmware of the controller, requires the device to be in sleep,[4] or at least in some sort of powered-on state, to be effective.[12] Machines that force power-off when the case is opened may help resist this attack, to the extent that the feature (switch) itself resists tampering.

Due to the nature of attacks that require extended physical access to hardware, it's unlikely the attack will affect users outside of a business or government environment.[12][13]

## Mitigation

The researchers claim there is no easy software solution, and that the vulnerability may only be mitigated by disabling the Thunderbolt port altogether.[1] However, the impacts of this attack (reading kernel-level memory without the machine needing to be powered off) are largely mitigated by anti-intrusion features provided by many business machines.[14] Intel claims enabling such features would substantially restrict the effectiveness of the attack.[15] Microsoft's official security recommendations advise disabling sleep mode while using BitLocker.[16] Using hibernation in place of sleep mode turns the device off, mitigating potential risks of attack on encrypted data.
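A defender's posture check for these mitigations on a Linux host, as an added example that is not part of the original article: for each Thunderbolt domain it reads the kernel's `iommu_dma_protection` sysfs attribute (which reports whether the IOMMU is used for DMA protection, the platform feature Windows calls Kernel DMA Protection) and flags sleep states that keep RAM powered. The function name `audit` and its `sysfs_root` parameter are assumptions made for the example.

```python
from pathlib import Path

# Sleep states that leave RAM powered; "disk" (hibernation) powers the machine off.
RAM_POWERED_STATES = {"freeze", "standby", "mem"}


def _read(path):
    """Return the stripped contents of a sysfs attribute, or None if unreadable."""
    try:
        return path.read_text().strip()
    except OSError:
        return None


def audit(sysfs_root="/sys"):
    """Return (level, message) findings; level is 'ok', 'info' or 'risk'."""
    root = Path(sysfs_root)
    findings = []
    domains = sorted((root / "bus/thunderbolt/devices").glob("domain*"))
    if not domains:
        # Port absent, disabled in firmware, or driver not loaded.
        findings.append(("info", "no Thunderbolt domain visible to the kernel"))
        return findings
    for dom in domains:
        value = _read(dom / "iommu_dma_protection")
        if value == "1":
            findings.append(("ok", f"{dom.name}: IOMMU DMA protection enabled"))
        else:
            findings.append(("risk", f"{dom.name}: IOMMU DMA protection not enabled"))
    # /sys/power/state lists the system sleep states the kernel supports.
    states = set((_read(root / "power/state") or "").split())
    sleeping = sorted(states & RAM_POWERED_STATES)
    if sleeping:
        findings.append(("risk", "sleep states available: " + ", ".join(sleeping)))
    if "disk" in states:
        findings.append(("ok", "hibernation available as a replacement for sleep"))
    return findings


if __name__ == "__main__":
    for level, message in audit():
        print(f"[{level}] {message}")
```

An "info" result only means the kernel exposes no Thunderbolt domain; it does not distinguish a port disabled in firmware from a driver that is not loaded.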

## References

1. Greenberg, Andy (10 May 2020). ["Thunderbolt Flaws Expose Millions of PCs to Hands-On Hacking - The so-called Thunderspy attack takes less than five minutes to pull off with physical access to a device, and it affects any PC manufactured before 2019"](https://www.wired.com/story/thunderspy-thunderbolt-evil-maid-hacking/). *[Wired](/source/Wired_(magazine))*. [Archived](https://web.archive.org/web/20200511010343/https://www.wired.com/story/thunderspy-thunderbolt-evil-maid-hacking/) from the original on 11 May 2020. Retrieved 11 May 2020.
2. Porter, Jon (11 May 2020). ["Thunderbolt flaw allows access to a PC's data in minutes - Affects all Thunderbolt-enabled PCs manufactured before 2019, and some after that"](https://www.theverge.com/2020/5/11/21254290/thunderbolt-security-vulnerability-thunderspy-encryption-access-intel-laptops). *[The Verge](/source/The_Verge)*. [Archived](https://web.archive.org/web/20200511192653/https://www.theverge.com/2020/5/11/21254290/thunderbolt-security-vulnerability-thunderspy-encryption-access-intel-laptops) from the original on 11 May 2020. Retrieved 11 May 2020.
3. Doffman, Zak (11 May 2020). ["Intel Confirms Critical New Security Problem For Windows Users"](https://www.forbes.com/sites/zakdoffman/2020/05/11/intel-confirms-critical-security-flaw-affecting-almost-all-windows-users/). *[Forbes](/source/Forbes)*. [Archived](https://web.archive.org/web/20200512213846/https://www.forbes.com/sites/zakdoffman/2020/05/11/intel-confirms-critical-security-flaw-affecting-almost-all-windows-users/) from the original on 12 May 2020. Retrieved 11 May 2020.
4. Ruytenberg, Björn (2020). ["Thunderspy: When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security"](https://thunderspy.io/). *Thunderspy.io*. [Archived](https://web.archive.org/web/20200511012316/https://thunderspy.io/) from the original on 11 May 2020. Retrieved 11 May 2020.
5. Kovacs, Eduard (11 May 2020). ["Thunderspy: More Thunderbolt Flaws Expose Millions of Computers to Attacks"](https://www.securityweek.com/thunderspy-more-thunderbolt-flaws-expose-millions-computers-attacks). *SecurityWeek.com*. Retrieved 11 May 2020.
6. O'Donnell, Lindsey (11 May 2020). ["Millions of Thunderbolt-Equipped Devices Open to 'ThunderSpy' Attack"](https://threatpost.com/millions-thunderbolt-devices-thunderspy-attack/155620/). *ThreatPost.com*. [Archived](https://web.archive.org/web/20200511205240/https://threatpost.com/millions-thunderbolt-devices-thunderspy-attack/155620/) from the original on 11 May 2020. Retrieved 11 May 2020.
7. Wyciślik-Wilson, Sofia (11 May 2020). ["Thunderspy vulnerability in Thunderbolt 3 allows hackers to steal files from Windows and Linux machines"](https://betanews.com/2020/05/11/thunderspy-security-vulnerability/). *BetaNews.com*. [Archived](https://web.archive.org/web/20200511142121/https://betanews.com/2020/05/11/thunderspy-security-vulnerability/) from the original on 11 May 2020. Retrieved 11 May 2020.
8. Gorey, Colm (11 May 2020). ["Thunderspy: What you need to know about unpatchable flaw in older PCs"](https://www.siliconrepublic.com/enterprise/thunderbolt-port-hacker-vulnerability-thunderspy). *SiliconRepublic.com*. [Archived](https://web.archive.org/web/20200518045250/https://www.siliconrepublic.com/enterprise/thunderbolt-port-hacker-vulnerability-thunderspy) from the original on 18 May 2020. Retrieved 12 May 2020.
9. Ruytenberg, Björn (17 April 2020). ["Breaking Thunderbolt Protocol Security: Vulnerability Report. 2020"](https://thunderspy.io/assets/reports/breaking-thunderbolt-security-bjorn-ruytenberg-20200417.pdf) (PDF). *Thunderspy.io*. [Archived](https://web.archive.org/web/20200511032830/https://thunderspy.io/assets/reports/breaking-thunderbolt-security-bjorn-ruytenberg-20200417.pdf) (PDF) from the original on 11 May 2020. Retrieved 11 May 2020.
10. Staff (26 February 2019). ["Thunderclap: Modern computers are vulnerable to malicious peripheral devices"](http://thunderclap.io/). Retrieved 12 May 2020.
11. Gartenberg, Chaim (27 February 2019). ["'Thunderclap' vulnerability could leave Thunderbolt computers open to attacks - Remember: don't just plug random stuff into your computer"](https://www.theverge.com/2019/2/27/18243503/thunderclap-vulnerability-thunderbolt-computers-attack). *[The Verge](/source/The_Verge)*. Retrieved 12 May 2020.
12. Grey, Mishka (13 May 2020). ["7 Thunderbolt Vulnerabilities Affect Millions of Devices: 'Thunderspy' Allows Physical Hacking in 5 Minutes - Do you own a Thunderbolt equipped laptop, and have bought it after 2011? Well, we've news for YOU. 7 newly discovered Intel Thunderbolt vulnerabilities have exposed your device to hackers. Learn what to do?"](https://www.hackreports.com/7-thunderbolt-vulnerabillity-thunderspy-exploit-thunderbolt-hacked/). *HackReports.com*. [Archived](https://web.archive.org/web/20200804174216/https://www.hackreports.com/7-thunderbolt-vulnerabillity-thunderspy-exploit-thunderbolt-hacked/) from the original on 4 August 2020. Retrieved 18 May 2020.
13. codeHusky (11 May 2020). ["Video (11:01) - Thunderspy is nothing to worry about - Here's why"](https://www.youtube.com/watch?v=c9Z3hQh0NxY). *[YouTube](/source/YouTube)*. [Archived](https://web.archive.org/web/20200619195525/https://www.youtube.com/watch?v=c9Z3hQh0NxY&gl=US&hl=en) from the original on 19 June 2020. Retrieved 12 May 2020.
14. Staff (26 March 2019). ["Kernel DMA Protection for Thunderbolt™ 3 (Windows 10) - Microsoft 365 Security"](https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt). *Microsoft Docs*. [Archived](https://web.archive.org/web/20200422022727/https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) from the original on 22 April 2020. Retrieved 17 May 2020.
15. Jerry, Bryant (10 May 2020). ["More Information on Thunderbolt(TM) Security - Technology@Intel"](https://blogs.intel.com/technology/2020/05/more-information-on-thunderspy/). [Archived](https://web.archive.org/web/20200515131640/https://blogs.intel.com/technology/2020/05/more-information-on-thunderspy/) from the original on 15 May 2020. Retrieved 17 May 2020.
16. ["BitLocker Security FAQ (Windows 10) - Windows security"](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-security-faq#what-are-the-implications-of-using-the-sleep-or-hibernate-power-management-options).

## External links

- [Official website](https://thunderspy.io/)

- [Video (5:54) – Thunderspy: proof of concept](https://www.youtube.com/watch?v=7uvSZA1F9os) on [YouTube](/source/YouTube_video_(identifier))

- [Video (11:01) - Thunderspy is nothing to worry about - Here's why](https://www.youtube.com/watch?v=c9Z3hQh0NxY) on [YouTube](/source/YouTube_video_(identifier))


---
Adapted from the Wikipedia article [Thunderspy](https://en.wikipedia.org/wiki/Thunderspy) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/Thunderspy?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.
